Snort mailing list archives
Re: Problem with using 2 sensors
From: Kevin Ross <kevross33 () googlemail com>
Date: Sat, 8 Oct 2011 13:56:59 +0100
Yes. You just need to configure the database user to be snort@REMOTE SENSOR IP. Setup mysql to bind to the IP address, point barnyard on the remote sensor to log to the remote datababase and then allow access through firewall. i.e LOCAL: mysql configuration file: bind-address=LOCAL_IP iptables -I INPUT 1 -s REMOTE_SENSOR -p tcp --destination-port 3306 -j ACCEPT mysql -u root -p grant ALL PRIVILEGES on snort.* to snort@REMOTE_IP with GRANT option; SET PASSWORD FOR snort@REMOTE IP=PASSWORD(‘test’); REMOTE: Make sure to write snort Unified 2. Snort opening a database itself rather than just writing to unified2 slows snort down significantly as it cannot watch the network while doing this; over network will be even slower. Barnyard2.conf: output database: log, mssql, dbname=snort user=snort password=test host=REMOTE SENSOR IP restart barnyard Also in barnyard2.conf set the localhost name to be something meaningful to that sensor so when you look at snort say with BASE you can narrow down with sensor and also see what sensor is actually generating alert: i.e Internet_Sensor Server_Room1 Server_Room2 Remote_Site1 And so on. Otherwise you will have difficulty telling which sensors are actually generating the alerts. Also use emergingthreats.net signatures for more insight into malware and current events. http://www.emergingthreats.net/index.php?option=com_content&view=frontpage&Itemid=1 You can see rule updates for ET (Free) and ETPRO (paid) here: http://blog.emergingthreatspro.com/ Regards, Kev On 8 October 2011 02:19, Mike Boeckeler <boeckelr () gmail com> wrote:
Hi everyone, I wanted to thank all of you for giving such detailed responses. I am going to try to tackle this again tonite and this weekend. I posted my original message at the bottom of this in case you forgot the issues involved...after reading thru all of your responses I have another question or two: OK, so I will set up two instances of Snort, Barnyard2, 2 unique unified2 files etc.....but what about MySQL? Will the single MySQL database work with this setup? Or will I need to create a unique database for each sensor....and then a unique install of BASE for each sensor? Thanks again! Mike BTW I don't know where I got the -E command line option from. On Tue, Sep 27, 2011 at 4:27 PM, Lay, James <james.lay () wincofoods com>wrote:<snip> /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1 & /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config <snip> Mike, Just like folks are saying, you'll need two separate instances of both snort AND barnyard2 (I thought the same thing when I first started with barnyard...thought "I can run it once and it will read all my u2 files from all my running snort instances"...wrong ;)). I would copy snort.conf to snort1.conf and snort2.conf, and barnyard2.conf to barnyard21.conf and barnyard22.conf, then change where they log at least where the u2 files are kept for snort, and change to reflect the interface in both barnyard files. Change in your barnyard2 conf files: Barnyard21: config interface: eth1 Barnyard22: config interface: eth2 And in your snort conf files: Snort1.conf: output unified2: filename /var/log/snort1/snort1.u2 Snort2.conf: output unified2: filename /var/log/snort2/snort2.u2 Then run like so: /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort1.conf -i eth1 & /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort2.conf -i eth2 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard21.conf -d /var/log/snort/snort1 -f snort1.us -w /etc/snort/snort1.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config /usr/local/bin/barnyard2 -c /etc/snort/barnyard22.conf -d /var/log/snort/snort2 -f snort2.us -w /etc/snort/snort2.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config I've found separating out the .u2 files in different directories to be cleaner (although I have all instances logging to a single all.fast file for easy monitoring). You can change the names to whatever...I've found naming the interfaces (internal/external) and integrating it into the conf name works well too (intbyard2.conf, intsnort.conf). Hope that helps. James ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2dcopy1 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------------------- Original Message: On Tue, Sep 27, 2011 at 3:53 PM, Mike Boeckeler <boeckelr () gmail com> wrote:Hi everyone, A few days ago I posted a message about how no matter what I tried, I could not get my setup running. Needless to say my frustration level was off of the charts. Anyway I seem to have crossed most of the hurdles and have gotten almost everything working. I am running Ubuntu 10.04, Snort 2.9.1, Snortrules-snapshot-2910, BASE and Barnyard 2. I have 3 interfaces - eth0 goes to the Internet for updates etc.....eth1 is a sensor and it is located on a hub between my dsl modem and router. eth2 is also a sensor, and it is located on a SPAN port, monitoring traffic inside of my ASA. BTW I used the Snort/Debian install guide posted on Snort.org for most of this install. If I start up first Snort and then Barnyard2 like you see below, everything runs, but BASE only reports alerts on eth2 (inside my network). Also, it only reports that there is 1 interface. /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1 & /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2 & /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \ -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \ -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \ -C /etc/snort/classification.config Now I know that traffic is getting thru by using Wireshark and tcpdump to watch eth1 and eth2 as I try to trigger alerts with nmap. In fact, if I forget about BASE, Barnyard and Mysql, and run snort like this: "snort -i eth1" in one terminal, and "snort -i eth2" in another terminal, both get the alerts that they should. So the problem must be in Mysql, Barnyard2, etc. I have tried using two different snort.confs - one for the command that starts the eth1 instance; and the other for the command that starts the eth2 instance, but to no avail. Does anybody have any ideas that might help? I have emailed Joel off-list and he provided some good insights on particular issues, but I still need help with the aforementioned problems. I greatly appreciate any help that you guys can provide. Thanks!Mike ------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2dcopy2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2dcopy2
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Problem with using 2 sensors Mike Boeckeler (Oct 07)
- Re: Problem with using 2 sensors James Lay (Oct 07)
- Re: Problem with using 2 sensors Kevin Ross (Oct 08)
- Re: Problem with using 2 sensors Mike Boeckeler (Oct 08)
- Re: Problem with using 2 sensors James Lay (Oct 08)
- Re: Problem with using 2 sensors Joel Esler (Oct 08)
- Re: Problem with using 2 sensors Kevin Ross (Oct 08)
- Re: Problem with using 2 sensors Mike Boeckeler (Oct 08)